Win.Downloader.97183-1 Office (OLE) / .DOC malware analysis — malicious · 6e01bde6eed5b71a

MALICIOUS

Office (OLE) / .DOC

195.0 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: a49134a7fce8d8127a9590c69e9cccaa SHA-1: 47c352e8538e40952341e037a2012c82cd6161a3 SHA-256: 6e01bde6eed5b71a143527eba6b2e69086f226f0d260a84350facf75719235d1

622 Risk Score

Malware Insights

Win.Downloader.97183-1 · confidence 95%

MITRE ATT&CK

T1203 Exploitation for Client Execution T1105 Ingress Tool Transfer

The sample exploits CVE-2006-6456 in Microsoft Word, a known vulnerability for client execution. It contains an embedded PE executable and references to APIs like CreateProcess, WriteProcessMemory, and CreateRemoteThread, indicating it likely downloads and executes a secondary payload. The presence of cmd.exe and suspicious command-line tokens further suggest execution of downloaded content.

Heuristics 14

CVE-2006-6456 — Microsoft Word malformed table SPRM critical CVE exact CVE_2006_6456

WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY

Reference to WriteProcessMemory API
Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD

Reference to CreateRemoteThread API
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
ClamAV: Win.Downloader.97183-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Downloader.97183-1
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 199,680 bytes but its declared streams total only 94,801 bytes — 104,879 bytes (53%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://%s:%d/net/B%s/search%s.php
- http://%s:%d/net/B%s/serinfo
- http://about:blank

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_000213fc.exe` `7e5003a8fb08069c849daf4d2f74b7ab1a58ea84e0c2ca35027682cc1873dec6`	embedded-pe	Office MZ+PE at offset 0x213FC	63492 bytes
Detection ClamAV: Win.Downloader.97183-1 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.